It is entirely possible that the U.S. government has suffered, and is still dealing with the fallout from, the most damaging cyber breach in the short history of digital information.
Reuters broke the story last December that a foreign actor, which U.S. agencies including the National Security Agency and the FBI have attributed to Russia and which the security industry tracks as APT29 (also known as Cozy Bear, or Dark Halo in Volexity's naming), had infiltrated several federal IT systems, including the Pentagon, the National Institutes of Health, the Department of Homeland Security and the State Department. The intrusion has been confirmed by highly regarded security companies including CrowdStrike, FireEye, Volexity and Microsoft.
This was a back-door attack
This was not a frontal assault. The perpetrators did not break into these critical systems from the outside; they rode in on routine software updates, in this case updates to the SolarWinds Orion network-monitoring platform, that thousands of IT managers installed themselves. SolarWinds, naturally, took a lot of grief for this; the fact is, however, that any one of hundreds of similar applications used by the government could have been abused in the same way. SolarWinds happens to be a highly respected and heavily used platform.
The attackers inserted malicious code into SolarWinds Orion software updates that were pushed out to nearly 18,000 customers. An unknown volume of stolen data may now be in the hands of U.S. adversaries.
DevSecOps people are still talking about this monumental breach for at least two reasons: a) given the vast scale of the U.S. government's IT systems, the intruders are likely still inside some of them, and b) it can and will happen again, in some form. So the analysis continues.
In this article, we offer a cogent Q&A session with cybersecurity expert Ofer Israeli, CEO and founder of Illusive Networks. Israeli was interviewed on a segment of eWEEK eSPEAKS last fall, right before this news broke in early December.
Q: Is the SolarWinds breach a clear indicator that on-premises tooling perhaps should give way to SaaS-based tools?
Israeli: No, we don't believe this breach, or past breaches, are an indictment of on-premises or cloud deployments; rather, it's a reminder of the breadth of the attack surface and the importance of continued diligence from all parties involved in security.
Q: If you’re using SolarWinds now and don’t have evidence of a breach yet, what should you do?
Israeli: Based on what we currently know, this attack has been going on for months within organizations’ networks. These organizations all have sophisticated security tools, teams and processes, so this attack shows that they have gaps in their lateral movement detection capabilities. We’re assuming that the attackers have infiltrated many organizations and are just waiting to finish their attack. These attackers are lying in wait and will soon become active.
Consequently, IT teams across all organizations need to do two things. First, assume there are attackers in your network, even if you don't use SolarWinds Orion. That's because your suppliers and/or partners might, which could mean attackers could get to you through them.
Second, safeguard possible access to the environment by locating all SolarWinds Orion instances and remediating according to vendor guidance.
Q: Describe your “Shake the tree” actionable insights approach, please.
Israeli: A lateral movement hygiene-and-detection exercise, which we call “shake the tree,” is beneficial for all at-risk organizations. This exercise has four elements:
1. Credential and pathway hygiene
Almost all significant attacks necessitate lateral movement from the entry point to the final target. To achieve this, an attacker needs both credentials and available connections between systems. The attacker prefers to move through the network using native system tools and connectivity, the "living off the land" tactic.
In an average workday, cached credentials and connections proliferate within a network. The access footprint changes continually as users log in and out, change roles, access resources and restart systems. On occasion, people intentionally gain access they shouldn’t have, but most connectivity and high-value cached credentials result from ordinary authorized activity.
Once attackers are inside the network, they use tools to automate and accelerate credential harvesting, network discovery and privilege escalation. The broader the access footprint, the more pathways an attacker has to reach their target, and the faster they can do damage. Assessing and removing unnecessary privileged credentials and connections will reduce the attack surface for this attack and others, which will improve the success that security tools and teams have in detecting lateral movement and other suspicious activities.
2. Lateral movement detection
Create a plan to continuously detect any suspicious lateral movement. Don’t rely on security controls that don’t specialize in lateral movement detection, because they can yield inaccurate results. We recommend using a solution that specializes in lateral movement detection to ensure detection accuracy.
3. Reset administrator credentials
Reset all administrator passwords after completing the hygiene and lateral movement detection steps. When you do this, bad actors lose their access and are forced to move laterally and gather new privileged credentials to keep leveraging their presence on the network.
You might be tempted to take a shortcut and simply perform a password reset to prevent privilege escalation and access to key data. But it's hard to reset every password (e.g., cached ones). Following these steps in order ensures that all passwords are cleared from stored locations and that the process succeeds.
4. Monitor lateral movement
Because the bad actor may work on a schedule of several days, weeks, or even months to do reconnaissance and attempt lateral movement, maintain your detection activities for an extended period, preferably within a permanent detection capability. Make sure your lateral movement detection includes detailed telemetry for the attacker so that someone can analyze their activities and tactics, and then implement targeted detection and prevention measures.
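The following Python script is an added example, not code from Illusive Networks or from the original article, showing how the first two elements of the "shake the tree" exercise above (credential and pathway hygiene, and lateral movement detection) can be turned into concrete checks over logon telemetry. It runs on a constructed set of log lines that mimic Windows Security event 4624 (successful logon) exported as CSV; the host names, account names, the 10-minute window and the four-host threshold are all assumptions chosen for illustration. The fan-out check flags an account that authenticates to many distinct hosts in a short window, which is what automated credential harvesting and discovery look like in authentication logs; the exposure check lists the hosts on which privileged accounts have logged on interactively (logon types 2 and 10), because interactive logons leave reusable credential material cached on the target and each such host is a pathway an intruder can harvest from.

```python
"""Lateral-movement triage over Windows logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real telemetry. Each line mimics the
# fields of a Windows Security 4624 logon-success event exported as CSV:
# timestamp, account, source workstation, target host, logon type.
# Logon type 3 = network, 10 = RDP (RemoteInteractive), 2 = local interactive.
SAMPLE_LOG = """\
2020-12-14T09:00:05,alice,WS-ALICE,FS01,3
2020-12-14T09:02:11,alice,WS-ALICE,FS01,3
2020-12-14T09:15:40,svc-orion,ORION01,DC01,3
2020-12-14T09:16:02,svc-orion,ORION01,FS01,3
2020-12-14T09:16:30,svc-orion,ORION01,SQL01,3
2020-12-14T09:17:05,svc-orion,ORION01,WEB01,3
2020-12-14T09:17:48,svc-orion,ORION01,HR-APP01,3
2020-12-14T10:30:00,helpdesk-admin,WS-HELP,WS-ALICE,10
2020-12-14T11:10:00,helpdesk-admin,WS-HELP,WS-BOB,10
2020-12-14T13:45:00,helpdesk-admin,WS-HELP,WS-CAROL,10
2020-12-15T08:05:00,da-backup,BK01,DC01,2
"""

# Hypothetical list of privileged accounts; in practice this comes from
# group membership (Domain Admins, local Administrators, service accounts).
PRIVILEGED = {"helpdesk-admin", "da-backup", "svc-orion"}


def parse_log(text):
    """Parse the CSV-like lines into event dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, ltype = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "src": src,
            "dst": dst,
            "type": int(ltype),
        })
    return events


def detect_fan_out(events, window=timedelta(minutes=10), min_hosts=4):
    """Element 2 (detection): flag accounts that reach many distinct hosts
    within a short sliding window. Normal users touch a handful of servers
    over a day; an account that fans out to `min_hosts` targets inside
    `window` is a lateral-movement candidate. Returns a list of
    (account, window_start, sorted target hosts), one entry per account."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_account[e["account"]].append(e)
    alerts = []
    for account, evs in by_account.items():
        for i, start in enumerate(evs):
            hosts = {start["dst"]}
            for later in evs[i + 1:]:
                if later["time"] - start["time"] > window:
                    break
                hosts.add(later["dst"])
            if len(hosts) >= min_hosts:
                alerts.append((account, start["time"], sorted(hosts)))
                break  # one alert per account is enough for triage
    return alerts


def interactive_exposure(events, privileged):
    """Element 1 (hygiene): hosts where privileged accounts logged on
    interactively (types 2 and 10). Network logons (type 3) do not leave
    reusable credentials on the target, but interactive ones do, so every
    host listed here is a place an intruder could harvest that account.
    Returns {account: sorted hosts}."""
    exposure = defaultdict(set)
    for e in events:
        if e["account"] in privileged and e["type"] in (2, 10):
            exposure[e["account"]].add(e["dst"])
    return {acct: sorted(hosts) for acct, hosts in exposure.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for account, start, hosts in detect_fan_out(evs):
        print(f"[fan-out] {account} reached {len(hosts)} hosts from {start}: {hosts}")
    for account, hosts in interactive_exposure(evs, PRIVILEGED).items():
        print(f"[hygiene] {account} leaves cached credentials on {hosts}")
```

On the sample data the service account fans out to five servers in about two minutes and is flagged, while the help-desk administrator, who touches three workstations over four hours, is not; the hygiene report instead shows that account's RDP sessions have spread its cached credentials across three user workstations, which is exactly the kind of pathway the interview recommends pruning before resetting administrator passwords (element 3) and keeping the detection running permanently (element 4).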